Package: boot-floppies
Version: 2.2.5
Severity: critical

During installation, boot-floppies sets up an MBR using /sbin/install-mbr.
The installed MBR allows a user to boot from a floppy by pressing any
key, then typing "F" at the prompt. Any password protection or
boot restriction defined in lilo.conf can thus be bypassed. There
should be prominent warnings in the installation procedure to
inform administrators that choosing the default choice for MBR
installation (which is to use /sbin/install-mbr) grants root privileges
to all users with access to the console.

This is a very serious security problem; several machines at this
site have been compromised because of it. This report
is therefore graded "critical" and will be forwarded to debian-security.

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux melchior 2.2.13 #1 mer nov 3 16:09:02 CET 1999 i586